debug User-Profile
MichaelLeung
gbcbooksmj at gmail.com
Fri Mar 18 09:55:20 CET 2016
finially, i config out how it works
first, edit mods-available/ldap
in global section
add:
valuepair_attribute = "radiusReplyItem"
in profile section
uncommecnt and change the default values
profile {
default = "%{control:User-Profile}"
}
go to policy.d/ directory
create a policy , whatever your name it
whatevername {
if (Ldap-Group == "groupname in LDAP, or DN") {
update {
$control:User-Profile == "profile dn in LDAP"
}
updated
}
else {
reject
}
}
go to site-available/ directory
edit the virtual server you want
in the authorize section
add the policy in to it
On 03/18/2016 02:07 PM, MichaelLeung wrote:
> i find this in wiki.freeradius.org
>
>
> LDAP ATTRIBUTES
>
> In version 2, the mapping between RADIUS attributes
> <http://wiki.freeradius.org/protocol/Attributes> and LDAP
> <http://wiki.freeradius.org/protocol/LDAP> attributes is in
> raddb/ldap.attrmap. You can edit that file and add any new mapping
> that you may need. The LDAP-schema file is located in
> doc/RADIUS-LDAPv3.schema. Before adding any radius attributes the ldap
> server schema should be updated.
>
> All ldap entries containing radius attributes should contain at least
> "objectclass: radiusprofile"
>
> radiusCheckItem and radiusReplyItem are special. They allow the
> administrator to add any check or reply item respectively without
> adding it in the ldap schema. The format should be:
>
> ldap-attribute: radius-attribute operator value
>
> The version 3 attribute mapping is in the module configuration file
> |raddb/mods-available/ldap|
>
> For Example:
>
> radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
>
>
> but i dont understand , if we mapping the radius attr and ldap attr,
> then give it a values , why do we stored the replyitem in LDAP.
>
>
> On 03/18/2016 01:46 PM, MichaelLeung wrote:
>> does freeradius 3.0.4 still have ldap.attrmap ?
>>
>> On 03/18/2016 12:46 PM, MichaelLeung wrote:
>>> how can i get radiusReplyItem from LDAP?
>>>
>>> On 03/18/2016 09:25 AM, MichaelLeung wrote:
>>>> any help ?
>>>>
>>>> On 03/17/2016 05:31 PM, MichaelLeung wrote:
>>>>> any reply ?
>>>>>
>>>>> On 03/17/2016 03:20 PM, MichaelLeung wrote:
>>>>>> well , i define a ldap-group check policy
>>>>>>
>>>>>> #
>>>>>> devicemanager_check {
>>>>>> if (Ldap-Group == "DeviceManager") {
>>>>>> update reply {
>>>>>> &User-Profile :=
>>>>>> "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
>>>>>> }
>>>>>> }
>>>>>> elsif (Ldap-Group == "Device_Write") {
>>>>>> update reply {
>>>>>> &Reply-Message += "Welcome,Device Operator"
>>>>>> }
>>>>>> }
>>>>>> elsif (Ldap-Group == "Device_Reivew") {
>>>>>> update reply {
>>>>>> &Reply-Message += "Welcome Device Reviewer"
>>>>>> }
>>>>>> }
>>>>>> else {
>>>>>> update reply {
>>>>>> &Reply-Message += "you are not authorized
>>>>>> to access , please confirm that you have the permission..."
>>>>>> }
>>>>>> reject
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> i am not sure that user override the User-Profile or not.
>>>>>>
>>>>>>
>>>>>> On 03/17/2016 10:56 AM, MichaelLeung wrote:
>>>>>>> hi list
>>>>>>>
>>>>>>> my freeradius version is 3.0.4
>>>>>>>
>>>>>>> i have enabled ldap modules and the radius profile feature of it .
>>>>>>>
>>>>>>> and i need to check the user is in the speacific Ldap-Group, and
>>>>>>> assign the User-Profile which contain all radius Reply-Items in it .
>>>>>>> so when my NAS try to authenticate , i can only see radius -X
>>>>>>> responding :
>>>>>>> (0) Sending Access-Accept packet to host 10.1.1.13 port 1812,
>>>>>>> id=96, length=0
>>>>>>> (0) User-Profile :=
>>>>>>> 'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com'
>>>>>>> it was not going to print out what reply item the User-Profile
>>>>>>> contained.
>>>>>>> and actually, i define the reply item as
>>>>>>> Huawei-Exec-Privilege := "15"
>>>>>>> it will give the highest admin right to the user belong to Group
>>>>>>> Device_Superior to Operate the Device .
>>>>>>>
>>>>>>> how can i debug the User-Profile?
>>>>>>
>>>>>
>>>>
>>>
>>
>
More information about the Freeradius-Users
mailing list